[webkit-changes] [228696] trunk

[dbates]

Title: [228696] trunk

Revision

228696

Author

dba...@webkit.org

Date

2018-02-19 10:34:07 -0800 (Mon, 19 Feb 2018)

Log Message

Null pointer dereference in WebPageProxy::urlSchemeHandlerForScheme()
https://bugs.webkit.org/show_bug.cgi?id=182905

Reviewed by Alex Christensen.

Return nullptr when querying for the scheme handler of the null string.

Before a navigation is performed WebKit checks if the destination URL is associated with an app
unless the embedding client overrides the WKNavigationDelegate delegate callback -webView:decidePolicyForNavigationAction:decisionHandler.
If the URL is not associated with an app then WebKit may fall back to checking if the embedding
client registered a scheme handler for it. Currently we assume that the scheme is a non-null
string when checking the scheme handler registry. However the scheme can be a null string if
it is part of a malformed URL. And this leads to bad news bears when we try to use it to look
for a scheme handler. Instead check that the scheme is a non-null string before checking to see
if it is in the scheme handler registry.

* UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::urlSchemeHandlerForScheme):

Modified Paths

• trunk/Source/WebKit/ChangeLog
• trunk/Source/WebKit/UIProcess/WebPageProxy.cpp
• trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/DecidePolicyForNavigationAction.mm

Diff

Modified: trunk/Source/WebKit/ChangeLog (228695 => 228696)

--- trunk/Source/WebKit/ChangeLog	2018-02-19 18:18:57 UTC (rev 228695)
+++ trunk/Source/WebKit/ChangeLog	2018-02-19 18:34:07 UTC (rev 228696)
@@ -1,3 +1,24 @@
+2018-02-19  Daniel Bates  <daba...@apple.com>
+
+        Null pointer dereference in WebPageProxy::urlSchemeHandlerForScheme()
+        https://bugs.webkit.org/show_bug.cgi?id=182905
+
+        Reviewed by Alex Christensen.
+
+        Return nullptr when querying for the scheme handler of the null string.
+
+        Before a navigation is performed WebKit checks if the destination URL is associated with an app
+        unless the embedding client overrides the WKNavigationDelegate delegate callback -webView:decidePolicyForNavigationAction:decisionHandler.
+        If the URL is not associated with an app then WebKit may fall back to checking if the embedding
+        client registered a scheme handler for it. Currently we assume that the scheme is a non-null
+        string when checking the scheme handler registry. However the scheme can be a null string if
+        it is part of a malformed URL. And this leads to bad news bears when we try to use it to look
+        for a scheme handler. Instead check that the scheme is a non-null string before checking to see
+        if it is in the scheme handler registry.
+
+        * UIProcess/WebPageProxy.cpp:
+        (WebKit::WebPageProxy::urlSchemeHandlerForScheme):
+
 2018-02-19  Ms2ger  <ms2...@igalia.com>
 
         Explicitly qualify some method calls on this in lamdas in Service Worker code.

Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.cpp (228695 => 228696)

--- trunk/Source/WebKit/UIProcess/WebPageProxy.cpp	2018-02-19 18:18:57 UTC (rev 228695)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.cpp	2018-02-19 18:34:07 UTC (rev 228696)
@@ -7199,7 +7199,7 @@
 
 WebURLSchemeHandler* WebPageProxy::urlSchemeHandlerForScheme(const String& scheme)
 {
-    return m_urlSchemeHandlersByScheme.get(scheme);
+    return scheme.isNull() ? nullptr : m_urlSchemeHandlersByScheme.get(scheme);
 }
 
 void WebPageProxy::startURLSchemeTask(URLSchemeTaskParameters&& parameters)

Modified: trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/DecidePolicyForNavigationAction.mm (228695 => 228696)

--- trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/DecidePolicyForNavigationAction.mm	2018-02-19 18:18:57 UTC (rev 228695)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/DecidePolicyForNavigationAction.mm	2018-02-19 18:34:07 UTC (rev 228696)
@@ -561,6 +561,29 @@
     TestWebKitAPI::Util::run(&done);
 }
 
+@interface DecidePolicyForNavigationActionForMalformedURLDelegate : NSObject <WKNavigationDelegate>
+@end
+
+@implementation DecidePolicyForNavigationActionForMalformedURLDelegate
+
+- (void)webView:(WKWebView *)webView didFinishNavigation:(WKNavigation *)navigation
+{
+    finishedNavigation = true;
+}
+
+@end
+
+TEST(WebKit, DecidePolicyForNavigationActionForMalformedURL)
+{
+    auto webView = adoptNS([[WKWebView alloc] init]);
+    auto controller = adoptNS([[DecidePolicyForNavigationActionForMalformedURLDelegate alloc] init]);
+    [webView setNavigationDelegate:controller.get()];
+
+    finishedNavigation = false;
+    [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:@"N"]]];
+    TestWebKitAPI::Util::run(&finishedNavigation);
+}
+
 #endif
 
 #endif

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes